Change interface mode

Daniel Lenski dlenski at gmail.com
Thu Oct 22 12:23:05 EDT 2020


On Wed, Oct 21, 2020 at 2:31 PM Beau Barker <bbarker at karasent.com> wrote:
>
> Is it possible to change the interface mode to TAP?

No. Even if OpenConnect (the client software) wanted to support this
TAP/Layer2 mode, there is no compatible server (Cisco or ocserv) which
supports such a mode.

See https://lists.infradead.org/pipermail/openconnect-devel/2015-February/002774.html
and https://www.mail-archive.com/openconnect-devel@lists.infradead.org/msg01071.html
for more discussion.

> I have a device that needs to connect to a remote server via VPN tunnel.  The device cannot establish a VPN connection on its own and it reports the IP address it is assigned to the server for communication.

That's generally a bad protocol design, to send IP information at the
application layer and rely on being able to communicate back to the
same IP, or expecting it to match the incoming IP. I thought those
kinds of protocols were mostly fixed or replaced in the 90s/00s, when
IPv4 NAT became pervasive…?

> I have configured a Raspberry Pi to establish the VPN tunnel and forward traffic in NAT mode, but that isn't good enough since the device reports its private IP address.

It should be possible to trick/torture the device into thinking that
it has the same IP address as the Raspberry Pi itself, by using
iptables address-rewriting rules and such.


